Artificial intelligence based hierarchical service awareness engine

ABSTRACT

Systems and methods are provided for recognition of an application in communication traffic flow in a network using an artificial intelligence (AI) based hierarchical service awareness engine. A decode equivalent class (DEC) can be used to provide information on the application. A DEC corresponds to a class of traffic that is mapped to an artificial intelligence (AI) model associated with parameters related to the class of traffic. DEC information can be fed to an AI model set and an inference model can be derived from a AI model of the AI model set corresponding to a DEC. The inference model can be provided to a gateway of the network to recognize a specific application of a service in communication flows. In various embodiments, in training the AI models, the gateway can provide DEC information for the AI model set from classifying flows of data traffic received from the network into DECs.

FIELD OF THE INVENTION

The present disclosure is related to data communications and, inparticular, service awareness in data communications.

BACKGROUND

The number of mobile applications for mobile devices is exponentiallyincreasing. At the same time, service operators desire a network to beable to recognize what the service operators consider to be importantapplications to provide different service treatments with respect tothese applications. For example, some operators may offer packagedservices, which may include free data usages for particularapplications. For this type of provisioning, operators may look to thenetwork to be able to detect a specific application in less than tenpackets for billing purposes, for example.

Some application providers have numerous applications. Google™, forexample, hosts many applications, such as Gmail™, Google Drive™,Youtube™, Google Map™, Google Hangout™ etc. These applications can sharecommon content delivery network (CDN) servers. With this sharing,recognizing one application, such as the Google map application, in nearreal time becomes challenging. In addition, encryption of traffic isincreasing. It has been predicted that by 2019, 80% of network trafficwill be encrypted. With the deployment of the newest versions oftransport layer security (TLS), which is an encryption protocol thatprovides communications security over a network, and the deployment ofquick UDP (User Datagram Protocol) internet connections (QUIC), which isa transport layer network protocol, accurately recognizing anapplication becomes more difficult.

SUMMARY

Systems and methods are provided for recognition of an application incommunication traffic flow in a network using an artificial intelligence(AI) based hierarchical service awareness engine. In a hierarchicalservice awareness engine, decode equivalent classes (DECs) thatcorrespond to AI models and parameters can be used in the recognition ofthe applications in data flows. DEC Information can be provided to trainAI models from which inference models are generated. The inferencemodels can be used by gateways in the network to recognize applicationsin the data flow in the gateways, allowing operators at the gateways amechanism to apply a service treatment to the communication flowassociated with the recognized application. Results from using DECs inthe gateways in the network can be used to further train the AI models,which AI models, in turn, provide the interference models and updates tothe inference models to the gateways.

According to one aspect of the present disclosure, there is provided asystem, the system comprising: a memory storage comprising instructions;and one or more processors in communication with the memory storage,wherein the one or more processors execute the instructions to: obtaindecode equivalent class (DEC) information from data traffic receivedfrom a network; feed portions of the received data traffic to anartificial intelligence (AI) model set based on results from theobtainment of the DEC information, each portion associated with an AImodel of the AI model set; derive, using each AI model of the AI modelset, an inference model corresponding to the DEC associated with each AImodel, the inference model recognizing a service and a specificapplication of the service; and handle deployment of one or moreinference models to one or more user plane function (UPF) gateways.

Optionally, in any of the preceding aspects, another implementation ofthe aspect provides that the one or more processors execute instructionsto trigger deployment of an inference model update to the one or moreUPF gateways upon generation of the inference model updates.

Optionally, in any of the preceding aspects, a further implementation ofthe aspect provides that the one or more processors execute instructionsto receive UPF gateway information from a newly added UPF gateway.

Optionally, in any of the preceding aspects, a further implementation ofthe aspect provides that the received UPF gateway information includescommunication manner information for the newly added UPF gateway.

Optionally, in any of the preceding aspects, a further implementation ofthe aspect provides that the instructions are executable by the one ormore processors to perform operations as a DEC controller, managingmultiple UPF gateways and the AI model set.

Optionally, in any of the preceding aspects, a further implementation ofthe aspect provides that the operations as a DEC controller includeoperations to: acquire inputs on an application of interest and inputsfor an AI model associated with the application of interest; create theAI model in the system corresponding to parameters associated with theapplication of interest for inclusion in the AI model set; and installrules at the one or more UPF gateways to include the application ofinterest for DEC classification at the one or more UPF gateways.

Optionally, in any of the preceding aspects, a further implementation ofthe aspect provides that the operations as a DEC controller includeoperations to create or delete inference models in a UPF gateway.

Optionally, in any of the preceding aspects, a further implementation ofthe aspect provides that the obtainment of the DEC information includesreading a packet header to extract the DEC information or using machinelearning to deduce the DEC information.

Optionally, in any of the preceding aspects, a further implementation ofthe aspect provides that the obtainment of the DEC information includesreading a packet having the DEC listed in a hypertext transfer protocol(HTTP) custom header.

According to one aspect of the present disclosure, there is provided agateway, the gateway comprising: a memory storage comprisinginstructions; and one or more processors in communication with thememory storage, wherein the one or more processors execute theinstructions to: classify flows of data traffic received from a networkinto decode equivalent class (DECs); selectively direct the flows toartificial intelligence (AI) models in a system exterior to the gateway,based on the classification of the flows; send the flows to an inferencemodels set in the gateway, based on the classification of the flows,along with DEC information corresponding to each inference model of theinference models set, each inference model recognizing a service and aspecific application of the service; and manage each inference model ofthe inference models set in response to receiving an update for eachinference model.

Optionally, in any of the preceding aspects, another implementation ofthe aspect provides that the one or more processors classify the flowsof data traffic based on information in a stored policy that specifiestypes of applications to classify.

Optionally, in any of the preceding aspects, a further implementation ofthe aspect provides that the one or more processors classify flows ofdata into DECs based on domain name system messages via regularexpression checkup.

Optionally, in any of the preceding aspects, a further implementation ofthe aspect provides that the one or more processors selectively directthe flows to the AI models by sending a part of the flows to the AImodels.

Optionally, in any of the preceding aspects, a further implementation ofthe aspect provides that the flows to the AI models include a packetheader for an individual flow having DEC information associated with theindividual flow or a hypertext transfer protocol (HTTP) custom headerfor an individual flow having the DEC corresponding to the individualflow.

According to one aspect of the present disclosure, there is provided acomputer-implemented method for operating a system to recognize anapplication in network data flows , the computer-implemented methodcomprising: obtaining, with one or more processors, decode equivalentclass (DEC) information from data traffic received from a network;feeding, with the one or more processors, portions of the received datatraffic to an artificial intelligence (AI) model set based on resultsfrom the obtainment of the DEC information, each portion associated withan AI model of the AI model set; deriving, using each AI model of the AImodel set, an inference model corresponding to the DEC associated witheach AI model, the inference model recognizing a service and a specificapplication of the service; and handling, with the one or moreprocessors, deployment of one or more inference models to one or moreuser plane function (UPF) gateways.

Optionally, in any of the preceding aspects, another implementation ofthe aspect provides that the computer-implemented method includestriggering deployment of an inference model update to the one or moreUPF gateways upon generation of the inference model update.

Optionally, in any of the preceding aspects, a further implementation ofthe aspect provides that the computer-implemented method includesreceiving UPF gateway information from a newly added UPF gateway.

Optionally, in any of the preceding aspects, a further implementation ofthe aspect provides that the computer-implemented method includesperforming operations as a DEC controller to manage multiple UPFgateways and the AI model set.

Optionally, in any of the preceding aspects, a further implementation ofthe aspect provides that performing the operations as the DEC controllerinclude: acquiring inputs on an application of interest and inputs foran AI model associated with the application of interest; creating the AImodel in the system corresponding to parameters associated with theapplication of interest for inclusion in the AI model set; andinstalling rules at the one or more UPF gateways to include theapplication of interest for DEC classification at the one or more UPFgateways.

Optionally, in any of the preceding aspects, a further implementation ofthe aspect provides that performing the operations as the DEC controllerincludes creating or deleting inference models in a UPF gateway.

Any one of the foregoing examples may be combined with any one or moreof the other foregoing examples to create a new embodiment within thescope of the present disclosure.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 illustrates an example of a high level architecture of anartificial intelligence based hierarchical service awareness engine,according to an example embodiment.

FIG. 2 illustrates an example of a decode equivalent class basedclassification framework, according to an example embodiment.

FIG. 3 is a representation of an example implementation of cloud basedor centralized artificial intelligence models for a services awarenessengine, according to an example embodiment.

FIG. 4 is an example user plane function gateway that can operate with acloud in which artificial intelligence models are disposed, according toan example embodiment.

FIG. 5 is an illustration of an example decode equivalent classcontroller that interacts with artificial intelligence models andinteracts with a number of user plane function gateways, according to anexample embodiment.

FIG. 6 illustrates an example approach to carry a decode equivalentclass identification from a packet header, according to an exampleembodiment.

FIG. 7 is a flow diagram of an example method of operating a system toenable recognition of an application in network data flows, according toan example embodiment.

FIG. 8 is a flow diagram of an example method of operating a gatewayenabled to recognize an application in network data flows, according toan example embodiment.

FIG. 9 is a block diagram illustrating circuitry for devices forimplementing algorithms and performing methods of providing artificialintelligence based hierarchical service awareness, according to anexample embodiment.

DETAILED DESCRIPTION

In the following description, reference is made to the accompanyingdrawings that form a part hereof, and in which is shown by way ofillustration specific embodiments which may be practiced. Theseembodiments are described in sufficient detail to enable those skilledin the art to practice the embodiments, and it is to be understood thatother embodiments may be utilized, and that structural, logical andelectrical changes may be made. The following description of exampleembodiments is, therefore, not to be taken in a limited sense.

The functions or algorithms described herein may be implemented insoftware in an embodiment. The software may comprise computer executableinstructions stored on computer readable media or computer readablestorage device such as one or more non-transitory memories or other typeof hardware based storage devices, either local or networked. Further,such functions correspond to modules, which may be software, hardware,firmware or any combination thereof. Multiple functions may be performedin one or more modules as desired, and the embodiments described aremerely examples. The software may be executed on a digital signalprocessor, ASIC, microprocessor, or other type of processor operating ona computer system, such as a personal computer, server or other computersystem, turning such computer system into a specifically programmedmachine.

Computer-readable non-transitory media includes all types of computerreadable media, including magnetic storage media, optical storage media,and solid state storage media and specifically excludes signals. Itshould be understood that the software can be installed in and sold withthe devices that handle event streams as taught herein. Alternatively,the software can be obtained and loaded into such devices, includingobtaining the software via a disc medium or from any manner of networkor distribution system, including, for example, from a server owned bythe software creator or from a server not owned but used by the softwarecreator. The software can be stored on a server for distribution overthe Internet, for example.

In various embodiments, an AI based hierarchical service awareness (SA)engine can be implemented to improve SA accuracy, achieve shortinference time to recognize services, and enable real time deployment innext generation mobile networks. AI is machine intelligence thatincludes a number of sub-fields including machine learning and variousforms of neural networks. AI effectively includes the simulation ofhuman intelligence processes by machines, where such processes includelearning, which is the acquisition of information and rules for usingthe information, reasoning which is using the rules to reach approximateor definite conclusions, and self-correction. Service awareness is therecognition of the kind of service that is carried in a traffic flowbeing processed. A service awareness engine is a mechanism that enablesservice awareness. A framework is provided that categorizes applicationsinto decoder equivalent classes (DECs). A DEC corresponds to a class oftraffic that is mapped to an AI model associated with parameters relatedto the class of traffic. With each individual DEC having an AI modelassigned to it with associated parameters for the individual DEC, AImodel simplification can be achieved for each DEC in comparison to asingle AI model for all corresponding classes of traffic. Implementationof an AI model for each individual DEC can reduce both training andinference time, along with achieving high accuracy. The framework mayinclude cloud-based training of AI models, centralized model repository,and a per gateway (GW) deployment to enable fast response time and meetmobile core network needs.

FIG. 1 illustrates an embodiment of an example of a high levelarchitecture of an AI based hierarchical SA engine. In this figure, thehierarchical SA engine based architecture is for a fifth generationwireless (5G) network 100. The 5G network 100 can include a cloud 105operatively in communication with a number of next generation Node Bs(gNBs) 132-1, 132-2 . . . 132-R and a number of gateways 120-0, 120-1,120-2 . . . 120-M. A Node B is a term to denote a base station inuniversal mobile telecommunications system (UMTS) terminology. The NodeB is responsible for the radio link between a mobile user and a fixedpart of the network. In 5G terminology, a gateway can be referred to asa UPF, which is short for a user plane function (UPF) gateway. A userplane function supports features and capabilities to facilitate userplane operation such as packet routing and forwarding, packetinspection, QoS handling, policy enforcement, data buffering, andinterconnection to a data network, among other features. UPF 120-0 canbe disposed as part of cloud 105 and can be coupled to a GiLAN, which isan operator host of services.

An AI based hierarchical SA engine can comprise AI training models115-1, 115-2, 115-3 . . . 115-N with associated parameters and inference(IF) models. The AI training models with associated parameters can bedeployed at a cloud 105 or other centralized location and IF models canbe deployed at gateways 120-0, 120-1, 120-2 . . . 120-M. In a 5Gnetwork, UPFs can be deployed in mobile core networks or in multi-accessedge computing (MEC) environments. MEC is an approach to a networkarchitecture to enable cloud computing capabilities and an informationtechnology (IT) service environment at the edge of a network, such asbut not limited to a cellular network. MEC may be implemented to runapplications and perform related processing tasks closer to the networkcustomer, which should result in reduction to network congestion andenhanced application performance. MEC technology can be implemented atcellular base stations or other edge nodes and enables flexible andrapid deployment of new applications and services for customers.Combining elements of information technology and telecommunicationsnetworking, MEC also allows cellular operators to open their radioaccess network (RAN) to authorized third-parties, such as applicationdevelopers and content providers.

The hierarchical SA engine, as taught herein, operates based on DECs.Applications of interest can be classified into different DECs based ontheir characteristics. Applications from each DEC can be classified viaan AI model plus parameters for the AI model. The output of the AI modelcan be a final classified application that can be used in gateways, butcan be further trained for updating. Multiple AI models 115-1, 115-2,115-3 . . . 115-N, which can be part of the SA engine, can be used toprovide IF models to UPFs 120-0, 120-1, 120-2 . . . 120-M, where the IFmodels can be updated from AI models 115-1, 115-2, 115-3 . . . 115-Nthat are continuing to be trained. At UPFs 120-0, 120-1, 120-2 . . .120-M, IF models can be used to recognize applications in live trafficto allow operators to provide service treatments with respect to therecognize applications in the live traffic. UPFs 120-0, 120-1, 120-2 . .. 120-M can provide real time application data for the continuingtraining of the AI models 115-1, 115-2, 115-3 . . . 115-N. A DECcontroller 110 can be implemented to manage multiple UPFs 120-0, 120-1,120-2 . . . 120-M and multiple AI models 115-1, 115-2, 115-3 . . . 115-Nat least with respect DEC operations.

FIG. 2 illustrates an embodiment of an example of a DEC basedclassification framework. A number of applications 212 can be classifiedinto a number of separate DECs 213-1, 213-2, 213-3 . . . 213-N. DEC213-1 can be correlated to AI model 215-1 plus parameters 216-1. DEC213-2 can be correlated to AI model 215-2 plus parameters 216-2. DEC213-3 can be correlated to AI model 215-3 plus parameters 216-3. DEC213-N can be correlated to AI model 215-N plus parameters 216-N. Each ofthe DECs can correspond to different sources of applications. Forexample, DEC(1) 213-1 can be assigned to applications from Google™.DEC(2) 213-2 can be assigned to applications from Facebook™. DEC(3)213-3 can be assigned to applications for transport layer security(TLS). DECs 213-N can be assigned to miscellaneous applications. Allapplications from a source can be part of one DEC. For example, allGoogle applications can be assigned to one DEC.

In some instances, two or more DECs may share the same model, but theirparameters can be different. A parameter is characteristic used todefine or classify a particular application in an AI model. Theparameters can include a hyperparameter. A hyperparameter is aparameter, whose value is set before the training, which is a learningprocess, of a particular AI model begins Values of other parameters forthe particular AI model are derived via training, that is, given thesehyperparameters, the training process learns additional parameters ormodifies parameters from data input to the particular AI model. Thisstructure provides a hierarchical structure in which applications areclassified into DECs per application source with each DEC associatedwith an AI model that can have parameters for different applications ofthe application source.

By dividing the applications of interest into small DECs, an AI modelfor each class can be implemented that is reduced in complexity withrespect to an AI model that addresses multiple classes. For example,DEC(1) 213-1 can be assigned to applications from Google™ dealing onlywith Google applications. This simplification can reduce both trainingand inference time, while achieving high accuracy. Existing studies haveshown that as the number of applications increases, a single AI modelfor these applications becomes more complex, training time and inferencetime also increases, and accuracy becomes lower.

Different DECs may use different AI models. For instance, if there is noambiguity to identify a given set of applications from an applicationprovider, a conventional random forest (RF) algorithm, which is asupervised learning algorithm can be used for both classification andregression analysis, can well address these type of applications. Inother cases, in which applications from an application provider use thesame CDN servers with the same uniform resource locator (URL),traditional AI models may not be suitable for this type of applications.Research has shown that long short-term memory (LSTM) networks, whichare a type of recurrent neural network (RNN) composed of LSTM units, orone dimensional (1D) convolutional neural network (CNN), may be moresuitable techniques. In addition, with increased encrypted traffic,traditional AI models may not meet the challenges provided byencryption. Traditional AI models can include RF, SAE (StackedAutoEncoder), ensemble learning techniques, etc. LSTM and 1D CNN candetect sequential data very well and, based on initial inventor studies,these techniques are more suitable to perform encrypted traffic analysisthan other techniques. However, LSTM and 1D CNN may not perform wellwhen the number of applications increases. A hierarchical approach, astaught herein, can be implemented to narrow down the number ofapplications that each model handles. The first level of thehierarchical approach can be directed to application categoryclassification and the second level can use an AI technique to classifyan individual application under a given category. The AI technique canbe LSTM, 1D CNN, or other AI technique. Algorithms for the first levelcan include using regular expression techniques, policy basedtechniques, even certain simple machine learning algorithms.

A number of different types of AI, which can include machine learning(ML) procedures, can be realized in the creation of the AI models 115-1,115-2, 115-3 . . . 115-N of AI models set 114 of architecture 100FIG. 1. A workflow procedure for the architecture 100 can include dataflow from UPFS 120-0, 120-1, 120-2 . . . 120-M for AI models 115-1,115-2, 115-3 . . . 115-N in cloud 105 and from AI models 115-1, 115-2,115-3 . . . 115-N in cloud 105 for UPFs 120-0, 120-1, 120-2 . . . 120-M.The multiple UPFs 120-0, 120-1, 120-2 . . . 120-M can feed, on acontinuing basis, relevant real time application data to correspondingtraining AI models 115-1, 115-2, 115-3 . . . 115-N in the cloud. Thecontinuing basis for the feed may be a continuous feed, a periodic feed,a polled feed, or the feed can be provided in some other form of arecurring manner. In order to realize such capability, a module insideeach UPF can be constructed to dispatch flows according to DECs. Amodule, herein, is a number of distinct but interrelated software unitsin a memory storage component from which a program can be constructed orinto which an activity, which may be complex, can be analyzed. Themodule typically includes instructions executed by one or moreprocessors in communication with the memory storage and may includehardware associated with the interrelated software units.

With AI models capable of being trained on an on-going basis, AI models115-1, 115-2, 115-3 . . . 115-N of AI models set 114 are also AItraining models 115-1, 115-2, 115-3 . . . 115-N. Multiple models of theAI models 115-1, 115-2, 115-3 . . . 115-N can run in parallel toleverage the multiple core CPU architecture of cloud 105 to handlemultiple DECs. AI training models 115-1, 115-2, 115-3 . . . 115-N cangenerate IF models, using the relevant real time application data fromUPFs 120-0, 120-1, 120-2 . . . 120-M. The IF models are deployed at UPFs120-0, 120-1, 120-2 . . . 120-M. With the relevant real time applicationdata being fed to the AI training models 115-1, 115-2, 115-3 . . . 115-Non a continuing basis, AI training models 115-1, 115-2, 115-3 . . .115-N can keep updating IF models based on the traffic updates. If theIF models, as outputs of corresponding AI models, get updated by the AItraining models 115-1, 115-2, 115-3 . . . 115-N, the updated IF modelscan be pushed from cloud 105 to UPFs 120-0, 120-1, 120-2 . . . 120-M. Invarious embodiments, a UPF of the UPFs 120-0, 120-1, 120-2 . . . 120-Mcan have a different relationship with AI models set than the otherUPFs. This independent relationship for the UPF can include the numberof IF models, which are generated from AI models set 114, disposed andupdated in the UPF, being different from the number of IFs disposed andupdated in the other UPFs of UPFs 120-0, 120-1, 120-2 . . . 120-M. Inother embodiments, each UPF of the UPFs 120-0, 120-1, 120-2 . . . 120-Mcan receive the same set of IF models originating from AI models set114.

FIG. 3 is a representation of an embodiment of an example implementationof cloud based or centralized AI models for a SA engine. An AI modelsset 314 of AI training models 315-1, 315-2 . . . 315-N can be disposedin a cloud 305. AI models set 314 disposed in cloud 305 can be realizedby, or be identical or similar, to AI models set 114 disposed in cloud105 of FIG. 1. In addition to AI models set 314, cloud 305 can include aflow dispatcher 312, a model repository 318, and GW deployment module317.

Flow dispatcher 312 can be a DEC driven flow dispatcher and can berealized as a module in cloud 305. Upon receiving live traffic, flowdispatcher module 312 can obtain the DEC information from the receivedlive traffic. The obtainment can include parsing the received livetraffic using one or more of a number of common parsing techniques.Machine learning techniques can be used to deduce the applicationcategory of the DEC information. Based on the obtainment of the DECinformation, flow dispatcher module 312 can feed the incoming livetraffic to the proper AI training models. The proper AI training modelsto receive the incoming live traffic are those correlated to the DECidentified in the DEC information. For example, for a group of packetsreceived, some packets may include information identifying a DEC tied toapplications of one source and other packets may include informationidentifying a DEC tied to applications of another source.

Each AI training model 315-1, 315-2 . . . 315-N of AI models set 314receives a portion of the received data traffic to cloud 305 as anindividual feed from flow dispatcher 312 based on results from theobtainment of the DEC information by flow dispatcher 312. Each portionis associated with an AI model of AI models set 314 corresponding to theDEC discovered in the obtainment of the DEC information from the livetraffic. Each AI model of AI models set 314, when receiving input fromflow dispatcher 312, can derive an IF model corresponding to the DECassociated with the AI model. The IF model is a model to recognize aservice and a specific application of the service and to process thespecific application. The derivation of the IF model by an AI model ofAI models set 314 can be based on historic data for the DEC associatedwith the AI model and live traffic associated with this DEC. Each AItraining model of the AI training models 315-1, 315-2 . . . 315-Nderives the corresponding IF model, given the associated DEC.

The outputs of AI training models 315-1, 315-2 . . . 315-N can be savedinto model repository (MR) 318. The outputs of AI training models 315-1,315-2 . . . 315-N are to be used as IF models for one or more UPFs. MR318 can be structured to perform a number of functions. With the AItraining models 315-1, 315-2 . . . 315-N receiving live traffic relatedto the DECs associated with AI training models 315-1, 315-2 . . . 315-N,the AI training models 315-1, 315-2 . . . 315-N use the newly receivedlive traffic and historic data to generate new outputs to update IFmodels. When the AI training models 315-1, 315-2 . . . 315-N areupdated, resulting in updated IF models, MR 318 can trigger deploymentof the updates to the IF models to the UPFs corresponding to the IFmodels or updated IF models to the UPFs corresponding to the IF models.When a new UPF joins the network serviced by cloud 305, IF models can bepulled from MR 318 for the new UPF. The pulled IF models can be the mostupdated IF models. In various embodiments, MR 318 can maintain a numberof versions of AI training models 315-1, 315-2 . . . 315-N over a periodto provide historic data.

GW deployment module 317 can interact with MR 310 to handle deploymentof one or more IF models, stored in MR 310, to one or more UPFs. GWdeployment module 317 can deploy the one or more IF models to UPFs on aper UPF basis. When a UPF is deployed in the field defined by a networkoperable with cloud 305, information about this newly deployed UPF canbe served as an input for this GW deployment module 317. The informationprovided can include information on the manner in which communication ofIF modules are to be communicated to the deployed UPF. GW deploymentmodule 317 can push the one or more latest IF model updates to the UPFs.

FIG. 4 is an embodiment of an example UPF gateway 420 that can operatewith a cloud 405 in which AI models 415-1, 415-2 . . . 415-N aredisposed. AI training models 415-1, 415-2 . . . 415-N can be disposed ina cloud 405 and can be realized by or be identical or similar to AItraining models 115-1, 115-2 . . . 115-N disposed in cloud 105 ofFIG. 1. UPF 420 or a UPF identical or similar to UPF 420 can beimplemented as one or more of UPFs 120-0, 120-1, 120-2 . . . 120-M ofFIG. 1. UPF 420 can include a DEC classification (DECC) module 425, atraffic steering module 426, and an IF model 427.

DECC module 425 provides a mechanism to classify flows of interest intoDECs based on the information provided by a policy. Herein, a policyincludes a specification of the type of applications to be classified.For example, if applications from an application source, such as forexample Google, are of interest, DECC module 425 can classify flows intoa Google application group that defines a DEC. DECC module 425 canperform the classification based on domain name system (DNS) messagesvia regular expression checkup. DNS is a hierarchical decentralizednaming system for computers, services, or other resources connected tothe Internet or a private network, where the DNS associates variousinformation with domain names assigned to each of the participatingentities. A regular expression can be entered as part of a command andcan be a pattern made up of symbols, letters, and numbers that representan input string for matching. Matching the string to a specified patternis called pattern matching. To recognize a DEC for classification,pattern recognition or machine learning may also be applied.

Based on the outcome of DEC classification by DECC module 425, trafficsteering module 426 can selectively send flows of interest to AItraining modules 415-1, 415-2 . . . 415-N in cloud 405 or to acentralized location and to IF module 427 in UPF 420. The trafficsteering can be DEC driven. In traffic sent for use by AI trainingmodules 415-1, 415-2 . . . 415-N, DEC information can be added to thetraffic being sent. In traffic sent for interference module 427, thetraffic can be divided according to the DECs recognized in the operationof DECC module 425. To reduce overhead in the traffic sent for use by AItraining modules 415-1, 415-2 . . . 415-N , only part of the flows ofinterest is sent to training modules 415-1, 415-2 . . . 415-N. For theflows of interest sent to IF module 427, the DEC information associatedwith each flow of interest is also sent along with the flow of interestto IF module 427 for use by local IF models 428-1, 428-2 . . . 428-N.The number of IF models in UPF 420 can equal the number of AI models incloud 405. In some UPFs, the number of IF models can be less than thenumber of AI models in cloud 405. In some UPFs associated with anotherset of AI models, the number of IF models can be greater than the numberof AI models in cloud 405, where the excess IF models may be for adifferent source.

IF module 427 can dispatch incoming flows from traffic steering module426 into corresponding ones of IF models 428-1, 428-2 . . . 428-N. Inaddition, IF module 427 can manage the IF models 428-1, 428-2 . . .428-N. Upon receiving an update for a particular IF model from cloud405, IF module 427 can update the particular IF model. The update can bereceived as an update to portions of the particular IF model or as a newversion of the particular IF model. IF module 427 can be involved, inaddition to the update of an IF model in UPF 420, in one or more ofcreation of an IF model in UPF 420 and deletion of an IF model from UPF.

FIG. 5 is an illustration of an embodiment of an example DEC controller510 that interacts with AI models 515-1. . . 515-N and interacts with anumber of UPFs 520-0, 520-1, 520-2 . . . 520-M. DEC controller 510 canreside in a cloud 505 or centralized location. AI models 515-1 . . .515-N can be disposed in a cloud 505 and can be realized by or beidentical or similar to one of AI training models 115-1, 115-2 . . .115-N disposed in cloud 105 of FIG. 1, AI training models 315-1, 315-2 .. . 315-N disposed in cloud 305 of FIG. 3, and AI training models 415-1,415-2 . . . 415-N disposed in cloud 405 of FIG. 4. UPFs 520-0, 520-1,520-2 . . . 520-M can be implemented to be identical or similar to UPF420 of FIG. 4 and can be realized by or be identical or similar to UPFs120-0, 120-1, 120-2 . . . 120-M of FIG. 1. DEC controller 510 can beimplemented in cloud 505.

DEC controller 510 can manage multiple UPFs 520-0, 520-1, 520-2 . . .520-M and multiple AI models 515-1 . . . 515-N. Each UPF of multipleUPFs 520-0, 520-1, 520-2 . . . 520-M can include a DEC classificationmodule 525 that classifies input traffic based on recognized DECs andprovides the input traffic along with DEC information for IF models528-1, 528-2 . . . 528-N in an IF module 527. DEC classification module525, IF models 528-1, 528-2 . . . 528-N, and IF module 527 can beimplemented to be identical or similar to DEC classification module 425,IF models 428-1, 428-2 . . . 428-N, and IF module 427 of FIG. 4.

DEC controller 510 can acquire inputs regarding an application ofinterest and a desired AI model for the application of interest.Parameters for the desired AI model can be included in the inputsregarding the AI model. The information may be provided by a userinterface associated with the instruments of cloud 505. With thisinformation, DEC controller 510 can create an AI module in cloud 505,where the created AI model corresponds to the application of interest.For example, AI models 515-1 . . . 515-N can have been created by DECcontroller 510. Upon creation, an AI model is a training AI model, and,after a threshold amount of training, the training AI model becomes anoperational/inference AI model. However, data can be provided to theoperational AI model that can be used to further train the operationalAI model such that the operational model is also a training AI model.The training AI models 515-1 . . . 515-N provide outputs that are usedas the IF models 428-1, 428-2 . . . 428-N in one or more of the UPFs520-0, 520-1, 520-2 . . . 520-M.

DEC controller 510 can manage UPFs 520-0, 520-1, 520-2 . . . 520-M withrespect to application recognition by installing information regardingeach application to be recognized and the associated DEC to which suchapplication is mapped. This information can include desired rules foreach application having an associated DEC. DEC controller 510 canprovide the information directed to DEC classification module 525 forinstallation in DEC classification module 525 at the UPF regarding theDECs corresponding to the UPF. The rules instilled by DEC controller 510into DEC classification module 525 can be on a per application categorybasis and/or a per UPF basis. DEC controller 510 can also operate increation of IFs in IF module 527 and in deletion of IFs in IF module527, for example, by controlling such operations.

The structures discussed in each of the FIGS. 1-5 may be implementedwith features of the corresponding structures in the other Figures, astaught herein. In addition, separate modules in the UPFs, as discussedherein, may be integrated into a single module in the UPFs and separatemodules in the clouds, as discussed herein, may be integrated into asingle module in the cloud. For example, flow dispatcher 312 of FIG. 3may be integrated with a DEC controller 110 of FIG. 1 or DEC controller510 of FIG. 5 into a single module. GW deployment module 317 may beintegrated into MR 318. DEC classification module 425 and trafficsteering module 426 may be integrated into a single module. One or bothof DEC classification module 425 and traffic steering module 426 may beintegrated with IF module 427 into a single module.

As discussed with respect to FIGS. 1 and 4, DEC information can beshared among traffic steering module 426, IF module 427, clouds 105 and405. The DEC information can be carried with the traffic flows. FIG. 6illustrates an approach to carry a DEC identification from a packetheader. The packet header may be an optional header with respect toheaders currently included in communication packets. DEC information,added into an optional packet header, can be extracted at both a cloudend, such as in clouds 105 of FIG. 1, cloud 305 of FIG. 5, cloud 405 ofFIG. 4, and cloud 5 of FIG. 5, and at an IF module such as IF module 427of FIG. 4 and IF module 527 of FIG. 5.

The header 670 including identification of DEC information can beincluded in a stack above an internet address 672 and a timestamp 674.Header 670 can be arranged as four octets 675-1, 675-2, 675-3 and 675-4.The eight bits of octet 675-4 can be allocated for an overflow indicatorand a flag, depending on the packet. The eight bits of octets 675-3 and675-2 can be allocated for a pointer and length, respectively. DECidentification can be included within the eight bits of octet 675-1. Bit0 of octet 675-1 can be used to indicate not copied or copied. Bits 1and 2 of octet 625-1 can be used to identify one or four possibleclasses: control, reserved, debugging and measurement, and DEC. Withbits 1 and 2 both set to one, which can be taken to be binary for three.The entry of bits 1 and 2 corresponding to three can be used to identifythat header 670 is providing DEC information. With entry of bits 1 and 2corresponding to three, the five bits 3 to 7 in octet 675-1 provide acode identifying a specific DEC. Both the transmitting module of DECinformation and the recipient module of the packet with header 670 caninclude a table or other storage format that maps the five bits 3 to 7in octet 675-1 to a specific DEC. Other formats or techniques can beused to provide DEC information in a packet.

Other mechanisms may be used to communicate DEC information. Use can bemade a characteristic of hypertext transfer protocol (HTTP) protocol.When an object is retrieved using the HTTP protocol, the protocol allowsinformation about the object to be provided when sent. For externalcommunication, support is provided for enabling DEC information in HTTPmetadata. Metadata can be used as HTTP optional header for packetsbelonging to a given DEC. For example, packets belonging to a source ofone or more applications can have the name of the source listed in aHTTP optional custom header. For example, an optional custom header fora packet can include DEC ID: source name. Values can be added to apacket to indicate that the packet has certain attributes. A moduleinside a cloud can be constructed to support such mechanism to read theDEC information for AI training models. The module may be part of a DECcontroller such as DEC controller 110 of FIG. 1 or as DEC controller 510of FIG. 5. Such a module inside a cloud may be part of a flow dispatchersuch as flow dispatcher 312 of FIG. 3.

For communications regarding DEC information sharing inside a UPF,internal messaging or optional IP header can be used. The optional IPheader can be identical or similar to header 670 of FIG. 6. Other headerformats may be used. Other techniques to incorporate DEC informationwith communication traffic may be implemented.

FIG. 7 is a flow diagram of an embodiment of an example method 700 ofoperating a system to enable recognition of an application in networkdata flows. Method 700 can be implemented as a computer-implementedmethod using a memory storage comprising instructions and one or moreprocessors in communication with the memory storage, where the one ormore processors execute instructions of the memory storage. At operation710, DEC information from data traffic received from a network isobtained. A DEC corresponds to a class of traffic that is mapped to anAI model associated with parameters related to the class of traffic. Theobtainment can include parsing the received data traffic using one ormore of a number of common parsing techniques. Obtainment of the DECinformation can include reading a packet header to extract the DECinformation, reading a packet having the DEC listed in a HTTP customheader, or using machine learning to deduce the DEC information.

At operation 720, portions of the received data traffic are fed to an AImodel set based on results from the obtainment of the DEC information,where each portion is associated with an AI model of the AI model set.At operation 730, using each AI model of the AI model set, an IF modelcorresponding to the DEC associated with each AI model is derived, wherethe IF model recognizes a service and a specific application of theservice. Each IF model derived by its corresponding AI model can besaved to a model repository. At 740, deployment of one or more IF modelsto one or more UPF gateways is handled.

Variations of the method 700 or methods similar to the method 700 caninclude a number of different embodiments that may be combined dependingon the application of such methods and/or the architecture of systems inwhich such methods are implemented. Such methods can include triggeringdeployment of an IF model update to the one or more UPF gateways upongeneration of the IF model update. Generation of the IF model update canbe performed by a corresponding AI model. Variations can includereceiving UPF gateway information from a newly added UPF gateway. TheUPF gateway information can include information regarding the manner inwhich communications can be made with the UPF gateway.

Variations of the method 700 or methods similar to the method 700 caninclude performing operations as a DEC controller to manage multiple UPFgateways and the AI model set. Performing the operations as the DECcontroller can include: acquiring inputs on an application of interestand inputs for an AI model associated with the application of interest;creating the AI model in the system corresponding to parametersassociated with the application of interest for inclusion in the AImodel set; and installing rules at the one or more UPF gateways toinclude the application of interest for DEC classification at the one ormore UPF gateways. Performing the operations as the DEC controller caninclude creating or deleting IF models in a UPF gateway.

FIG. 8 is a flow diagram of an embodiment of an example method 800 ofoperating a gateway enabled to recognize an application in network dataflows. Method 800 can be implemented as a computer-implemented methodusing a memory storage comprising instructions and one or moreprocessors in communication with the memory storage, where the one ormore processors execute instructions of the memory storage. At operation810, flows of data traffic received from a network are classified in agateway into DECs. As previously noted, a DEC corresponds to a class oftraffic that is mapped to an AI model associated with parameters relatedto the class of traffic. The classification of the flows of data trafficcan be based on information in a stored policy that specifies types ofapplications to classify. In one option for application categoryclassification, the flows of data can be classified into DECs based ondomain name system messages via regular expression checkup. Othermechanisms for application category classification can be implemented.

At 820, the flows are selectively directed to AI models in a systemexterior to the gateway, based on the classification of the flows. Theflows to the AI models can include a packet header for an individualflow having DEC information associated with the individual flow or ahypertext transfer protocol (HTTP) custom header for an individual flowhaving the DEC corresponding to the individual flow. Selectivelydirecting the flows to the AI models can include only sending a part ofthe flows to the AI models.

At 830, the flows are sent to an IF models set in the gateway, based onthe classification of the flows, along with DEC informationcorresponding to each IF model of the IF models set, with each IF modelrecognizing a service and a specific application of the service. At 840,each IF model of the IF models set is managed in response to receivingan update for each IF model.

In various embodiments, a non-transitory machine-readable storagedevice, such as computer-readable non-transitory media, can compriseinstructions stored thereon, which, when executed by components of amachine, cause the machine to perform operations, where the operationscomprise one or more features similar to or identical to features ofmethods and techniques described with respect to method 700, method 800,variations thereof, and/or features of other methods taught herein suchas associated with FIGS. 1-6. The physical structures of suchinstructions may be operated on by one or more processors. For example,executing these physical structures can cause the machine to performoperations comprising: obtaining, with the one or more processors, DECinformation from data traffic received from a network, wherein a DECcorresponds to a class of traffic that is mapped to an AI modelassociated with parameters related to the class of traffic; feeding,with the one or more processors, portions of the received data trafficto an AI model set based on results from the obtainment of the DECinformation, each portion associated with an AI model of the AI modelset; deriving, using each AI model of the AI model set, an IF modelcorresponding to the DEC associated with each AI model, the IF modelrecognizing a service and a specific application of the service; andhandling, with the one or more processors, deployment of one or more IFmodels to one or more UPF gateways.

In another example, executing physical structures of a non-transitorymachine-readable storage device of another machine, using one or moreprocessors of the other machine, can cause this machine to performoperations comprising: classifying, in a gateway, flows of data trafficreceived from a network into DECs, wherein a DEC corresponds to a classof traffic that is mapped to an AI model associated with parametersrelated to the class of traffic; selectively direct the flows to AImodels in a system exterior to the gateway, based on the classificationof the flows; send the flows to an IF models set in the gateway, basedon the classification of the flows, along with DEC informationcorresponding to each IF model of the IF models set, each IF modelrecognizing a service and a specific application of the service; andmanaging each IF model of the IF models set in response to receiving anupdate for each IF model.

FIG. 9 is a block diagram illustrating circuitry for devices forimplementing algorithms and performing methods of providing AI basedhierarchical service awareness, according to the teachings herein. FIG.9 depicts a device 900 having a non-transitory memory storage 901storing instructions, a cache 907, and a processing unit 902, coupled toa bus 920. Processing unit 902 can include one or more processorsoperatively in communication with non-transitory memory storage 901 andcache 907. The one or more processors can be structured to execute theinstructions to operate device 900 according to any of the methodstaught herein. Device 900 may be structured in a cloud operable with oneor more UPFs associated with one or more networks to enable applicationrecognition in the one or more UPFs for service awareness. Device 900may be structured in a UPF to provide application recognition forservice awareness in conjunction with a cloud.

In cloud instrumentation, the one or more processors can be structuredto execute instructions to: obtain DEC information from data trafficreceived from a network, wherein a DEC corresponds to a class of trafficthat is mapped to an AI model associated with parameters related to theclass of traffic; feed portions of the received data traffic to an AImodel set based on results from the obtainment of the DEC information,each portion associated with an AI model of the AI model set; derive,using each AI model of the AI model set, an IF model corresponding tothe DEC associated with each AI model, the IF model recognizing aservice and a specific application of the service; and handle deploymentof one or more IF models to one or more UPF gateways. The one or moreprocessors in the cloud instrumentation can execute other cloud basedfunctions, as taught herein.

In a UPF, the one or more processors can be structured to executeinstructions to: classify flows of data traffic received from a networkinto decode equivalent class (DECs), wherein a DEC corresponds to aclass of traffic that is mapped to an artificial intelligence (AI) modelassociated with parameters related to the class of traffic; selectivelydirect the flows to AI models in a system exterior to the gateway, basedon the classification of the flows; send the flows to an inferencemodels set in the gateway, based on the classification of the flows,along with DEC information corresponding to each inference model of theinference models set, each inference model recognizing a service and aspecific application of the service; and manage each inference model ofthe inference models set in response to receiving an update for eachinference model. The one or more processors in the UPF can execute otherUPF based functions, as taught herein.

Device 900 can include a communication interface 916 operable tocommunicate among devices and systems associated with a cloud to whichdevice 900 is associated. The communication interface 916 may be part ofa data bus that can be used to receive the data traffic for processing.

Non-transitory memory storage 901 may be realized as machine-readablemedia, such as computer-readable media, and may include volatile memory914 or non-volatile memory 908. Device 900 may include or have access toa computing environment that includes a variety of machine-readablemedia including as computer-readable media, such as volatile memory 914,non-volatile memory 908, removable storage 911, or non-removable storage922. Such machine-readable media may be used with instructions in one ormore programs 918 executed by device 900. Cache 907 may be realized as aseparate memory component or part of one or more of volatile memory 914,non-volatile memory 908, removable storage 911, or non-removable storage922. Memory storage can include random access memory (RAM), read onlymemory (ROM), erasable programmable read-only memory (EPROM),electrically erasable programmable read-only memory (EEPROM), flashmemory or other memory technologies, compact disc read-only memory (CDROM), Digital Versatile Disks (DVD) or other optical disk storage,magnetic cassettes, magnetic tape, magnetic disk storage or othermagnetic storage devices, or any other medium capable of storingcomputer-readable instructions.

Device 900 may include or have access to a computing environment thatincludes input interface 926 and output interface 924. Output interface924 may include a display device, such as a touchscreen, that also mayserve as an input device. Input interface 926 may include one or more ofa touchscreen, touchpad, mouse, keyboard, camera, one or moredevice-specific buttons, one or more sensors integrated within orcoupled via wired or wireless data connections to device 900, and otherinput devices.

Device 900 may operate in a networked environment using a communicationconnection to connect to one or more other devices that are remote. Suchremote devices may be identical or similar to device 900 or may bedifferent types of devices having features similar or identical tofeatures of device 900 or other features, as taught herein, to handleservice awareness processing. The remote devices may include computers,such as database servers. Such remote computers may include a personalcomputer (PC), server, router, network PC, a peer device or other commonnetwork node, or the like. The communication connection may include aLocal Area Network (LAN), a Wide Area Network (WAN), cellular, WiFi,Bluetooth, or other networks.

Machine-readable instructions, such as computer-readable instructionsstored on a computer-readable medium, are executable by the processingunit 902 of the device 900. A hard drive, CD-ROM, and RAM are someexamples of articles including a non-transitory computer-readable mediumsuch as a storage device. The terms machine-readable medium,computer-readable medium, and storage device do not include carrierwaves to the extent carrier waves are deemed transitory. Storage canalso include networked storage such as a storage area network (SAN).

Device 900 can be realized as a computing device that may be indifferent forms in different embodiments, as part of a network such as aSDN/IoT network. For example, device 900 may be a smartphone, a tablet,smartwatch, other computing device, or other types of devices havingwireless communication capabilities, where such devices includecomponents to engage in the distribution and storage of items ofcontent, as taught herein. Devices, such as smartphones, tablets,smartwatches, and other types of device having wireless communicationcapabilities, are generally collectively referred to as mobile devicesor user equipment. In addition, some of these devices may be consideredas systems for the functions and/or applications for which they areimplemented. Further, although the various data storage elements areillustrated as part of the device 900, the storage may also oralternatively include cloud-based storage accessible via a network, suchas the Internet or server based storage.

Further, machine-readable storage devices, such as computer-readablenon-transitory media, herein, are physical devices that stores datarepresented by physical structure within the respective device. Such aphysical device is a non-transitory device. Examples of machine-readablestorage devices can include, but are not limited to, read only memory(ROM), random access memory (RAM), a magnetic disk storage device, anoptical storage device, a flash memory, or other electronic, magnetic,and/or optical memory devices. The machine-readable device may be amachine-readable medium such as memory 901 of FIG. 9. Terms such as“memory,” “memory module,” “machine-readable medium,” “machine-readabledevice,” and similar terms should be taken to include all forms ofstorage media, either in the form of a single medium (or device) ormultiple media (or devices), in all forms. For example, such structurescan be realized as centralized database(s), distributed database(s),associated caches, and servers; one or more storage devices, such asstorage drives (including but not limited to electronic, magnetic, andoptical drives and storage mechanisms), and one or more instances ofmemory devices or modules (whether main memory; cache storage, eitherinternal or external to a processor; or buffers). Terms such as“memory,” “memory module,” “machine-readable medium,” and“machine-readable device,” shall be taken to include any tangiblenon-transitory medium which is capable of storing or encoding a sequenceof instructions for execution by the machine and that cause the machineto perform any one of the methodologies taught herein. The term“non-transitory” used in reference to a “machine-readable device,”“medium,” “storage medium,” “device,” or “storage device” expresslyincludes all forms of storage drives (optical, magnetic, electrical,etc.) and all forms of memory devices (e.g., DRAM, Flash (of all storagedesigns), SRAM, MRAM, phase change, etc., as well as all otherstructures designed to store data of any type for later retrieval.

In various embodiments, a system can be implemented to enableapplication recognition in data traffic for service awareness. Such asystem can comprise a memory storage comprising instructions and one ormore processors in communication with the memory storage. The one ormore processors can execute the instructions to: obtain DEC informationfrom data traffic received from a network, wherein a DEC corresponds toa class of traffic that is mapped to an AI model associated withparameters related to the class of traffic; feed portions of thereceived data traffic to an AI model set based on results from theobtainment of the DEC information, each portion associated with an AImodel of the AI model set; derive, using each AI model of the AI modelset, an IF model corresponding to the DEC associated with each AI model,the IF model recognizing a service and a specific application of theservice; and handle deployment of one or more IF models to one or moreUPF gateways.

Variations of such a system or similar systems can include a number ofdifferent embodiments that may be combined depending on the applicationof such systems and/or the architecture in which such systems areimplemented. Such systems can include the one or more processorsconfigured to execute instructions to trigger deployment of an IF modelupdate to the one or more UPF gateways upon generation of the If modelupdates. The one or more processors can execute instructions to receiveUPF gateway information from a newly added UPF gateway. The received UPFgateway information can include communication manner information for thenewly added UPF gateway.

Variations of such a system or similar systems can include instructionsthat are executable by the one or more processors to perform operationsas a DEC controller, managing multiple UPF gateways and the AI modelset. The operations as a DEC controller can include operations to:acquire inputs on an application of interest and inputs for an AI modelassociated with the application of interest; create the AI model in thesystem corresponding to parameters associated with the application ofinterest for inclusion in the AI model set; and install rules at the oneor more UPF gateways to include the application of interest for DECclassification at the one or more UPF gateways. The operations as a DECcontroller can include operations to create or delete IF models in a UPFgateway.

Variations of such a system or similar systems can include theobtainment of the DEC information performed by parsing received datatraffic using one or more of a number of common parsing techniques. Theobtainment of the DEC information can be performed by reading a packetheader to extract the DEC information. Other obtainment techniques caninclude using machine learning to deduce the DEC information or readinga packet having the DEC listed in a hypertext transfer protocol (HTTP)custom header.

In various embodiments, a UPF can be implemented for applicationrecognition in data traffic for service awareness. Such a UPF cancomprise a memory storage comprising instructions, and one or moreprocessors in communication with the memory storage. The one or moreprocessors can execute the instructions to: classify flows of datatraffic received from a network into DECs, wherein a DEC corresponds toa class of traffic that is mapped to an AI model associated withparameters related to the class of traffic; selectively direct the flowsto AI models in a system exterior to the gateway, based on theclassification of the flows; send the flows to an IF models set in thegateway, based on the classification of the flows, along with DECinformation corresponding to each IF model of the IF models set, each IFmodel recognizing a service and a specific application of the service;and manage each IF model of the IF models set in response to receivingan update for the IF model.

Variations of such a UPF or similar UPFs can include a number ofdifferent embodiments that may be combined depending on the applicationof such UPFs and/or the architecture in which such UPFs are implemented.Such UPFs can include the one or more processors configured to classifythe flows of data traffic based on information in a stored policy thatspecifies types of applications to classify. Such UPFs can include theone or more processors configured to classify flows of data into DECsbased on domain name system messages via regular expression checkup.Such UPFs can include the one or more processors can be configured toselectively direct the flows to the AI models by sending a part of theflows to the AI models. Such UPFs can include the flows to the AI modelsto include a packet header for an individual flow having DEC informationassociated with the individual flow or a hypertext transfer protocol(HTTP) custom header for an individual flow having the DEC correspondingto the individual flow.

Devices, systems, and methods implemented using an AI based hierarchicalSA engine, as taught herein, can provide real time recognition of anapplication in a network. This implementation can provide for deploymentof SA in the network. Such a network can be a mobile core network. Evenwith the increasing number of mobile applications being supported in thenetwork, this implementation may achieve real time recognition with highaccuracy.

In a hierarchical SA engine, DECs that correspond to AI models andparameters can be used recognize applications. Results from using DECsin gateways in a network can be used to further train the AI models,which AI models, in turn, provide IF models to the gateways in thenetwork. The gateways can use the IF models to recognize an applicationin flows of communication traffic, allowing operators at the gateways amechanism to apply a service treatment to the communication flowassociated with the recognized application. The gateways can be deployedin the network in a distributed manner. The gateways can be UPF gatewaysin mobile networks. The structure for an SA engine, as taught herein,can allow for the timely updates of IF models at gateways, enhancing thereal time recognition of specific applications in communication trafficflows.

Although the present disclosure has been described with reference tospecific features and embodiments thereof, it is evident that variousmodifications and combinations can be made thereto without departingfrom scope of the disclosure. The specification and drawings are,accordingly, to be regarded simply as an illustration of the disclosureas defined by the appended claims, and are contemplated to cover any andall modifications, variations, combinations or equivalents that fallwithin the scope of the present disclosure.

What is claimed is:
 1. A system, comprising: a memory storage comprisinginstructions; and one or more processors in communication with thememory storage, wherein the one or more processors execute theinstructions to: obtain decode equivalent class (DEC) information fromdata traffic received from a network; feed portions of the received datatraffic to an artificial intelligence (AI) model set based on resultsfrom the obtainment of the DEC information, each portion associated withan AI model of the AI model set; derive, using each AI model of the AImodel set, an inference model corresponding to the DEC associated witheach AI model, the inference model recognizing a service and a specificapplication of the service; and handle deployment of one or moreinference models to one or more user plane function (UPF) gateways. 2.The system of claim 1, wherein the one or more processors executeinstructions to trigger deployment of an inference model update to theone or more UPF gateways upon generation of the inference model updates.3. The system of claim 1, wherein the one or more processors executeinstructions to receive UPF gateway information from a newly added UPFgateway.
 4. The system of claim 3, wherein the received UPF gatewayinformation includes communication manner information for the newlyadded UPF gateway.
 5. The system of claim 1, wherein the instructionsare executable by the one or more processors to perform operations as aDEC controller, managing multiple UPF gateways and the AI model set. 6.The system of claim 5, wherein the operations as a DEC controllerinclude operations to: acquire inputs on an application of interest andinputs for an AI model associated with the application of interest;create the AI model in the system corresponding to parameters associatedwith the application of interest for inclusion in the AI model set; andinstall rules at the one or more UPF gateways to include the applicationof interest for DEC classification at the one or more UPF gateways. 7.The system of claim 5, wherein the operations as a DEC controllerinclude operations to create or delete inference models in a UPFgateway.
 8. The system of claim 1, wherein the obtainment of the DECinformation includes reading a packet header to extract the DECinformation or using machine learning to deduce the DEC information. 9.The system of claim 1, wherein the obtainment of the DEC informationincludes reading a packet having the DEC listed in a hypertext transferprotocol (HTTP) custom header.
 10. A gateway, comprising: a memorystorage comprising instructions; and one or more processors incommunication with the memory storage, wherein the one or moreprocessors execute the instructions to: classify flows of data trafficreceived from a network into decode equivalent class (DECs); selectivelydirect the flows to artificial intelligence (AI) models in a systemexterior to the gateway, based on the classification of the flows; sendthe flows to an inference models set in the gateway, based on theclassification of the flows, along with DEC information corresponding toeach inference model of the inference models set, each inference modelrecognizing a service and a specific application of the service; andmanage each inference model of the inference models set in response toreceiving an update for each inference model.
 11. The gateway of claim10, wherein the one or more processors classify the flows of datatraffic based on information in a stored policy that specifies types ofapplications to classify.
 12. The gateway of claim 10, wherein the oneor more processors classify flows of data into DECs based on domain namesystem messages via regular expression checkup.
 13. The gateway of claim10, wherein the one or more processors selectively direct the flows tothe AI models by sending a part of the flows to the AI models.
 14. Thegateway of claim 10, wherein the flows to the AI models include a packetheader for an individual flow having DEC information associated with theindividual flow or a hypertext transfer protocol (HTTP) custom headerfor an individual flow having the DEC corresponding to the individualflow.
 15. A computer-implemented method for operating a system torecognize an application in network data flows, the computer-implementedmethod comprising: obtaining, with one or more processors, decodeequivalent class (DEC) information from data traffic received from anetwork; feeding, with the one or more processors, portions of thereceived data traffic to an artificial intelligence (AI) model set basedon results from the obtainment of the DEC information, each portionassociated with an AI model of the AI model set; deriving, using each AImodel of the AI model set, an inference model corresponding to the DECassociated with each AI model, the inference model recognizing a serviceand a specific application of the service; and handling, with the one ormore processors, deployment of one or more inference models to one ormore user plane function (UPF) gateways.
 16. The computer-implementedmethod of claim 15, wherein the computer-implemented method includestriggering deployment of an inference model update to the one or moreUPF gateways upon generation of the inference model update.
 17. Thecomputer-implemented method of claim 15, wherein thecomputer-implemented method includes receiving UPF gateway informationfrom a newly added UPF gateway.
 18. The computer-implemented method ofclaim 15, wherein the computer-implemented method includes performingoperations as a DEC controller to manage multiple UPF gateways and theAI model set.
 19. The computer-implemented method of claim 18, whereinperforming the operations as the DEC controller includes: acquiringinputs on an application of interest and inputs for an AI modelassociated with the application of interest; creating the AI model inthe system corresponding to parameters associated with the applicationof interest for inclusion in the AI model set; and installing rules atthe one or more UPF gateways to include the application of interest forDEC classification at the one or more UPF gateways.
 20. Thecomputer-implemented method of claim 18, wherein performing theoperations as the DEC controller includes creating or deleting inferencemodels in a UPF gateway.